Proofs by logical relations play a key role to establish rich properties such as normalization or contextual equivalence. They are also challenging to mechanize. In this paper, we describe the completeness proof of algorithmic equality for simply typed lambda-terms by Crary where we reason about logically equivalent terms in the proof environment Beluga. There are three key aspects we rely upon: 1) we encode lambda-terms together with their operational semantics and algorithmic equality using higher-order abstract syntax; 2) we directly encode the corresponding logical equivalence of well-typed lambda-terms using recursive types and higher-order functions; 3) we exploit Beluga's support for contexts and the equational theory of simultaneous substitutions. This leads to a direct and compact mechanization, demonstrating Beluga's strength at formalizing logical relations proofs.


1 Introduction 


Proofs by logical relations play a fundamental role to establish rich properties such as contextual equivalence or normalization. This proof technique goes back to Tait [26] and was later refined by Girard [12]. The central idea of logical relations is to specify relations on well-typed terms via structural induction on the syntax of types instead of directly on the syntax of terms themselves. Thus, for instance, logically related functions take logically related arguments to related results, while logically related pairs consist of components that are related pairwise.

Mechanizing logical relations proofs is challenging: first, specifying logical relations themselves typically requires a logic which allows arbitrary nesting of quantification and implications; second, to establish soundness of a logical relation, one must prove the Fundamental Property which says that any well-typed term under a closing simultaneous substitution is in the relation. This latter part requires some notion of simultaneous substitution together with the appropriate equational theory of composing substitutions. As Altenkirch [?] remarked:


“I discovered that the core part of the proof (here proving lemmas about CR) is fairly 
straightforward and only requires a good understanding of the paper version. However, 
in completing the proof I observed that in certain places I had to invest much more work 
than expected, e.g. proving lemmas about substitution and weakening.” 

While logical normalization proofs often are not large, they are conceptually intricate and mechanizing them has become a challenging benchmark for proof environments. There are several key questions when we attempt to formalize such proofs: How should we represent the abstract syntax tree for lambda-terms and enforce the scope of bound variables? How should we represent well-typed terms or typing derivations? How should we deal with substitution? How can we define the logical relation on closed terms?

Early work [?] represented lambda-terms using (well-scoped) de Bruijn indices, which leads to a substantial amount of overhead to prove properties about substitutions such as substitution lemmas and composition of substitution. To improve readability and generally better support such meta-theoretic reasoning, nominal approaches support α-renaming, but substitution and properties about them are specified separately; the Isabelle Nominal package has been used in a variety of logical relations proofs, from proving strong normalization for Moggi's modal lambda-calculus [7] to mechanically verifying the meta-theory of LF itself including the completeness of equivalence checking [16, 27].

Approaches representing lambda-terms using higher-order abstract syntax (HOAS) trees (also called λ-tree syntax) model binders in the object language (i.e. in our case the simply typed lambda-calculus) as binders in the meta language (i.e. in our case the logical framework LF [13]). Such encodings inherit not only α-renaming and substitution from the meta-language, but also weakening and substitution lemmas. However, direct encodings of logical relations proofs are beyond the logical strength supported in systems such as Twelf [?]. In this paper, we demonstrate the power and elegance of logical relations proofs within the proof environment Beluga [22], which is built on top of the logical framework LF. Beluga allows programmers to pair LF objects together with their surrounding context, and this notion is internalized as a contextual type $[\Gamma \vdash A]$ which is inhabited by a term $M$ of type $A$ in the context $\Gamma$ [15]. Proofs about contexts and contextual LF objects are then implemented as dependently-typed recursive functions via pattern matching [?]. Beluga's functional language supports higher-order functions and indexed recursive data-types [?], which we use to encode the logical relation. As such it does not impose any restrictions as for example found in Twelf [?], which does not support arbitrary quantifier alternation, or Delphin [23], which lacks recursive data-types. Recently, Beluga has been extended to first-class simultaneous substitutions, allowing abstraction over substitutions and supporting a rich equational theory about them [?].

In this paper, we describe the completeness proof of algorithmic equality for simply typed lambda-terms by Crary [?] where we reason about logically equivalent terms in the proof environment Beluga. There are three key aspects we rely upon: 1) we encode lambda-terms together with their operational semantics together with algorithmic equality using higher-order abstract syntax; 2) we directly encode the corresponding logical equivalence of well-typed lambda-terms using recursive types and higher-order functions; 3) we exploit Beluga's support for contexts and the equational theory of simultaneous substitutions. This leads to a direct and compact mechanization and allows us to demonstrate Beluga's strength at formalizing logical relations proofs. Based on this case study we also draw some general lessons.


2 Proof Overview: Completeness of Algorithmic Equality 

In this section we give a brief overview of the motivation and high level structure of the completeness proof of algorithmic equality. For more detail, we refer the reader to [?] and [?]. Extensions of this proof are important for the metatheory of dependently typed systems such as LF and varieties of Martin-Löf Type Theory, where they are used to establish decidability of typechecking. The proof concerns three judgements, the first of which is declarative equivalence:

$\Gamma \vdash M = N : A$ (terms $M$ and $N$ are declaratively equivalent at type $A$)

Declarative equivalence includes convenient but non-syntax directed rules such as transitivity and symmetry, among rules for congruence, extensionality and β-contraction. We will see the full definition in Sec. 3. In particular, it may include apparently type-directed rules such as extensionality at unit type:

$$\frac{\Gamma \vdash M : \mathsf{Unit} \qquad \Gamma \vdash N : \mathsf{Unit}}{\Gamma \vdash M = N : \mathsf{Unit}}$$
This rule relies crucially on type information, so the common untyped rewriting strategy for deciding equivalence no longer applies. Instead, one can define an algorithmic notion of equivalence which is directed by the syntax of types. This is the path we follow here. We define algorithmic term equivalence mutually with path equivalence, which is the syntactic equivalence of terms headed by variables, i.e. terms of the form $x\,\vec{M}$:

$\Gamma \vdash M \Leftrightarrow N : A$ (terms $M$ and $N$ are algorithmically equivalent at type $A$)
$\Gamma \vdash M \leftrightarrow N : A$ (paths $M$ and $N$ are algorithmically equivalent at type $A$)

In what follows, we sketch the proof of completeness of algorithmic equivalence for declarative 
equivalence. A direct proof by induction over derivations fails unfortunately in the application case 
where we need to show that applying equivalent terms to equivalent arguments yields equivalent results, 
which is not so easy. Instead, one can proceed by proving a more general statement that declaratively 
equivalent terms are logically equivalent, and so in turn algorithmically equivalent. Logical equivalence 
is a relation defined directly on the structure of the types. We write it as follows: 

$\Gamma \vdash M \approx N : A$ (terms $M$ and $N$ are logically equivalent at type $A$)

The key case is at function type, which directly defines logically equivalent terms at function type as taking logically equivalent arguments to logically equivalent results. Crary defines:

$\Gamma \vdash M_1 \approx M_2 : A \Rightarrow B$ iff for all $\Delta \geq \Gamma$ and $N_1, N_2$,

if $\Delta \vdash N_1 \approx N_2 : A$

then $\Delta \vdash M_1\,N_1 \approx M_2\,N_2 : B$

A key complication is the quantification over all extensions $\Delta$ of the context $\Gamma$. This is essential to show completeness of the algorithmic rule for function types, which states that to compare two terms $\Gamma \vdash M \Leftrightarrow N : A \Rightarrow B$ it suffices to compare their applications to fresh variables: $\Gamma, x{:}A \vdash M\,x \Leftrightarrow N\,x : B$. The generalization to all extensions $\Delta$ of $\Gamma$ then arises naturally. This Kripke-style monotonicity condition is one of the reasons that this proof is more challenging than normalization proofs for simply typed lambda-terms, where this quantification can often be avoided using other technical tricks.

For our formalization, we take a slightly different approach which better exploits the features of Beluga available to us. We instead quantify over an arbitrary context $\Delta$ together with a simultaneous substitution $\pi$ which provides for each $x{:}T$ in $\Gamma$ a path $M$ satisfying $\Delta \vdash M \leftrightarrow M : T$. We will call such a substitution a path substitution and write this condition as $\Delta \vdash \pi : \Gamma$. In the course of the completeness proof, $\pi$ will actually only ever be instantiated by substitutions which simply perform weakening. That is, $\Delta$ will be of the form $\Gamma, \Gamma'$ where $\Gamma = x_1{:}A_1, \ldots, x_n{:}A_n$ and $\pi$ will be of the form $\Gamma, \Gamma' \vdash x_1/x_1, \ldots, x_n/x_n : \Gamma$. However, the extra generality of path substitutions surprisingly does no harm to the proof, and fits well within Beluga.

$\Gamma \vdash M_1 \approx M_2 : A \Rightarrow B$ iff for all $\Delta$, path substitutions $\Delta \vdash \pi : \Gamma$, and $N_1, N_2$,

if $\Delta \vdash N_1 \approx N_2 : A$

then $\Delta \vdash M_1[\pi]\,N_1 \approx M_2[\pi]\,N_2 : B$

The high level goal is to establish that declaratively equivalent terms are logically equivalent, and 
that logically equivalent terms are algorithmically equivalent. The proof requires establishing a few key 
properties of logical equivalence. The first is monotonicity, which is crucially used for weakening logical 
equivalence. This is used when applying terms to fresh variables. 

Lemma 2.1 (Monotonicity)

If $\Gamma \vdash M \approx N : A$ and $\Delta \vdash \pi : \Gamma$ is a path substitution, then $\Delta \vdash M[\pi] \approx N[\pi] : A$.
The second key property is (backward) closure of logical equivalence under weak head reduction. This is proved by induction on the type $A$.

Lemma 2.2 (Logical weak head closure)

If $\Gamma \vdash N_1 \approx N_2 : A$ and $M_1 \to^{*}_{wh} N_1$ and $M_2 \to^{*}_{wh} N_2$ then $\Gamma \vdash M_1 \approx M_2 : A$.

In order to escape logical equivalence to obtain algorithmic equivalence in the end, we need the 
main lemma, which is a mutually inductive proof showing that path equivalence is included in logical 
equivalence, and logical equivalence is included in algorithmic equivalence: 

Lemma 2.3 (Main lemma)

1. If $\Gamma \vdash M \leftrightarrow N : A$ then $\Gamma \vdash M \approx N : A$.

2. If $\Gamma \vdash M \approx N : A$ then $\Gamma \vdash M \Leftrightarrow N : A$.

Also required are symmetry and transitivity of logical equivalence, which in turn require symmetry and transitivity of algorithmic equivalence, determinacy of weak head reduction, and uniqueness of types for path equivalence. We will not go into detail about these lemmas, as they are relatively mundane, but refer the reader to the discussion in [?].

What remains is to show that declarative equivalence implies logical equivalence. This requires a standard technique to generalize the statement to all instantiations of open terms by related substitutions. If $\sigma_1$ is of the form $M_1/x_1, \ldots, M_n/x_n$ and $\sigma_2$ is of the form $N_1/x_1, \ldots, N_n/x_n$ and $\Gamma$ is of the form $x_1{:}A_1, \ldots, x_n{:}A_n$, we write $\Delta \vdash \sigma_1 \approx \sigma_2 : \Gamma$ to mean that $\Delta \vdash M_i \approx N_i : A_i$ for all $i$.

Theorem 2.4 (Fundamental theorem)

If $\Gamma \vdash M = N : A$ and $\Delta \vdash \sigma_1 \approx \sigma_2 : \Gamma$ then $\Delta \vdash M[\sigma_1] \approx N[\sigma_2] : A$.

The proof goes by induction on the derivation of $\Gamma \vdash M = N : A$. We show one interesting case in order to demonstrate some sources of complexity.

Proof Case:
$$\frac{\Gamma, x{:}A \vdash M_1 = M_2 : B}{\Gamma \vdash \lambda x.M_1 = \lambda x.M_2 : A \Rightarrow B}$$

1. Suppose we are given $\Delta'$, a path substitution $\Delta' \vdash \pi : \Delta$ and $N_1, N_2$ with $\Delta' \vdash N_1 \approx N_2 : A$.

2. We have $\Delta' \vdash \sigma_1[\pi] \approx \sigma_2[\pi] : \Gamma$ (by monotonicity)

3. Hence $\Delta' \vdash (\sigma_1[\pi], N_1/x) \approx (\sigma_2[\pi], N_2/x) : \Gamma, x{:}A$ (by definition)

4. Hence $\Delta' \vdash M_1[\sigma_1[\pi], N_1/x] \approx M_2[\sigma_2[\pi], N_2/x] : B$ (by induction hypothesis)

5. Hence $\Delta' \vdash M_1[\sigma_1[\pi], x/x][N_1/x] \approx M_2[\sigma_2[\pi], x/x][N_2/x] : B$ (by substitution properties)

6. Hence $\Delta' \vdash (\lambda x.M_1[\sigma_1[\pi], x/x])\,N_1 \approx (\lambda x.M_2[\sigma_2[\pi], x/x])\,N_2 : B$ (by weak head closure)

7. Hence $\Delta' \vdash ((\lambda x.M_1)[\sigma_1])[\pi]\,N_1 \approx ((\lambda x.M_2)[\sigma_2])[\pi]\,N_2 : B$ (by substitution properties)

8. Hence $\Delta \vdash (\lambda x.M_1)[\sigma_1] \approx (\lambda x.M_2)[\sigma_2] : A \Rightarrow B$ (by definition of logical equivalence)

We observe that this proof relies heavily on equational properties of substitutions. Some of this complexity appears to be due to our choice of quantifying over substitutions $\Delta \vdash \pi : \Gamma$ instead of extensions $\Delta \geq \Gamma$. However, we would argue that reasoning instead about extensions $\Delta \geq \Gamma$ does not remove this complexity, but only rephrases it.

Finally, by establishing the relatedness of the identity substitution to itself, i.e. $\Gamma \vdash \mathrm{id} \approx \mathrm{id} : \Gamma$, we can combine the fundamental theorem with the main lemma to obtain completeness.

Corollary 2.5 (Completeness) If $\Gamma \vdash M = N : A$ then $\Gamma \vdash M \Leftrightarrow N : A$.
3 Mechanization

We mechanize the development of the declarative and algorithmic equivalence together with its completeness proof in Beluga, a dependently typed proof language built on top of the logical framework LF. The central idea is to specify lambda-terms, small-step semantics, and type-directed algorithmic equivalence in the logical framework LF. This allows us to model bindings uniformly using the LF function space and obviates the need to model and manage names explicitly. Beluga's proof language allows programmers to encapsulate LF objects together with their surrounding context as contextual objects and provides support for higher-order functions, indexed recursive types, and pattern matching on contexts and contextual objects. We define logical equivalence and (for technical reasons) declarative equivalence using indexed recursive types. All our proofs will then be implemented as recursive functions using pattern matching and pass the totality checker. The complete source code for our development can be found in the directory examples/logrel of the Beluga distribution which is available at https://github.com/Beluga-lang/Beluga


3.1 Encoding lambda-terms, typing and reduction in the logical framework LF 

Our proof is about a simply-typed lambda calculus with one base type i. Extending the proof to support a unit type and products is straightforward. We describe the types and terms in LF as follows, employing HOAS for the representation of lambda abstraction. That is, we express the body of the lambda expression as an LF function tm → tm. There is no explicit case for variables; they are implicitly handled by LF. We show side by side the corresponding grammar.

Types   T, S ::= i | T ⇒ S
Terms   M, N ::= x | lam x.M | app M N

LF tp : type =
| i : tp
| => : tp → tp → tp  % infix
;

LF tm : type =
| lam : (tm → tm) → tm
| app : tm → tm → tm
;


Finally, we describe also weak head reduction for our terms. Notice here that the substitution of N into M in the β-reduction case is accomplished using LF application. We then describe multi-step reductions as a sequence of single step reductions. All free variables occurring in the LF signature are reconstructed and bound implicitly at the outside.

LF step : tm → tm → type =
| beta    : step (app (lam M) N) (M N)
| stepapp : step M M' → step (app M N) (app M' N)
;

LF mstep : tm → tm → type =
| refl   : mstep M M
| trans1 : step M M' → mstep M' M'' → mstep M M''
;


3.2 Encoding algorithmic equivalence 

We now describe the algorithmic equality of terms. This is defined as two mutually recursive LF specifications. We write algeqTm M N T for algorithmic equivalence of terms M and N at type T and algeqP P Q T for algorithmic path equivalence at type T; paths are terms whose head is a variable, not a lambda abstraction. Term equality is directed by the type, while path equality is directed by the syntax. Two terms M and N at base type i are equivalent if they weak head reduce to weak head normal terms P and Q which are path equivalent. Two terms M and N are equivalent at type T ⇒ S if applying them to a fresh variable x of type T yields equivalent terms. Variables are only path equivalent to themselves, and applications are path equivalent if the terms at function position are path equivalent, and the terms at argument positions are term equivalent.

LF algeqTm : tm → tm → tp → type =
| algbase : mstep M P → mstep N Q → algeqP P Q i → algeqTm M N i
| algarr  : ({x:tm} algeqP x x T → algeqTm (app M x) (app N x) S) → algeqTm M N (arr T S)
and algeqP : tm → tm → tp → type =
| algapp  : algeqP M1 M2 (arr T S) → algeqTm N1 N2 T → algeqP (app M1 N1) (app M2 N2) S
;

By describing algorithmic equality in LF, we gain structural properties and substitution for free. For 
this particular proof, only weakening is important. 
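As an added worked example (our own Python, not the paper's Beluga code and not taken from the Beluga distribution), the judgements algeqTm and algeqP above, together with the weak head reduction of Sec. 3.1, read directly as a decision procedure: term equivalence recurses on the type, applying both sides to a fresh variable at arrow type and weak-head-reducing both sides at base type, while path equivalence recurses on the syntax and synthesizes the type of the paths. The function names (alg_eq_tm, alg_eq_path, whnf, subst) and the sample terms are our own. Since Python has no HOAS, binding is handled with named variables and an explicit capture-avoiding substitution, which is exactly the bookkeeping the LF encoding gets for free. The eta pair in the examples also illustrates the point made in Sec. 2 that a type-directed procedure identifies terms an untyped rewriting strategy would not.

```python
"""Type-directed algorithmic equivalence for the simply typed lambda calculus.
Added illustration of algeqTm / algeqP and weak head reduction; not the paper's code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union
import itertools


# ---- types: T, S ::= i | T => S ----
@dataclass(frozen=True)
class Base:            # the single base type i
    pass

@dataclass(frozen=True)
class Arr:             # T => S
    dom: "Ty"
    cod: "Ty"

Ty = Union[Base, Arr]


# ---- terms: M, N ::= x | lam x. M | app M N  (named variables, no HOAS) ----
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Tm"

@dataclass(frozen=True)
class App:
    fun: "Tm"
    arg: "Tm"

Tm = Union[Var, Lam, App]

_fresh = itertools.count()

def fresh(base: str = "x") -> str:
    """A variable name unused anywhere else (plays the role of an LF binder {x:tm})."""
    return f"{base}_{next(_fresh)}"

def free_vars(t: Tm) -> frozenset:
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.var}
    return free_vars(t.fun) | free_vars(t.arg)

def subst(t: Tm, x: str, s: Tm) -> Tm:
    """Capture-avoiding t[s/x]; LF application (M N) does this for free in the paper."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.var == x:                        # x is shadowed: nothing to replace below
        return t
    if t.var in free_vars(s):             # binder would capture a free variable of s: rename it
        y = fresh(t.var)
        return Lam(y, subst(subst(t.body, t.var, Var(y)), x, s))
    return Lam(t.var, subst(t.body, x, s))

def whnf(t: Tm) -> Tm:
    """mstep: apply `beta` and `stepapp` until no weak head step applies.
    Terminates on well-typed terms, which is all the completeness theorem feeds it."""
    if isinstance(t, App):
        f = whnf(t.fun)                   # stepapp: reduce the function position first
        if isinstance(f, Lam):            # beta: (lam x. M) N --> M[N/x]
            return whnf(subst(f.body, f.var, t.arg))
        return App(f, t.arg)              # head is a variable: the term is a path
    return t

def alg_eq_tm(ctx: dict, m: Tm, n: Tm, ty: Ty) -> bool:
    """algeqTm: directed by the type. ctx maps free variable names to their types."""
    if isinstance(ty, Base):
        # algbase: weak-head-reduce both sides, then they must be path-equivalent at i
        return alg_eq_path(ctx, whnf(m), whnf(n)) == Base()
    # algarr: compare the applications to one fresh variable x : ty.dom
    x = fresh()
    return alg_eq_tm(dict(ctx, **{x: ty.dom}), App(m, Var(x)), App(n, Var(x)), ty.cod)

def alg_eq_path(ctx: dict, p: Tm, q: Tm) -> Optional[Ty]:
    """algeqP: directed by the syntax. Returns the (unique) type of the two paths,
    or None when they are not path-equivalent (or not paths at all)."""
    if isinstance(p, Var) and isinstance(q, Var):
        # a variable is path-equivalent only to itself (the actx assumption algeqP x x t)
        return ctx.get(p.name) if p.name == q.name else None
    if isinstance(p, App) and isinstance(q, App):
        # algapp: heads path-equivalent at T => S, arguments term-equivalent at T
        t = alg_eq_path(ctx, p.fun, q.fun)
        if isinstance(t, Arr) and alg_eq_tm(ctx, p.arg, q.arg, t.dom):
            return t.cod
    return None

def examples() -> dict:
    """Constructed sample pairs; each key maps to the checker's verdict."""
    i, ii = Base(), Arr(Base(), Base())
    ctx = {"f": ii, "g": ii, "y": i}      # constructed context of free variables
    f, g, y = Var("f"), Var("g"), Var("y")
    return {
        "alpha":    alg_eq_tm(ctx, Lam("x", Var("x")), Lam("z", Var("z")), ii),
        "eta":      alg_eq_tm(ctx, f, Lam("x", App(f, Var("x"))), ii),   # f ~ lam x. f x
        "beta":     alg_eq_tm(ctx, Lam("x", App(Lam("z", Var("z")), Var("x"))), Lam("x", Var("x")), ii),
        # (lam x. lam y. x) y must reduce to lam _. y, not to lam y. y
        "capture":  alg_eq_tm(ctx, App(Lam("x", Lam("y", Var("x"))), y), Lam("z", y), ii),
        "distinct": alg_eq_tm(ctx, f, g, ii),                             # f and g differ
    }
```

alg_eq_path returns the type of the two paths instead of taking it as an index: this is the "uniqueness of types for path equivalence" that Sec. 2 lists among the mundane lemmas, and it is what lets the base case check that both weak head normal forms really are paths at type i rather than, say, lambdas.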

A handful of different forms of contexts are relevant for this proof. We describe these with schema 
definitions in Beluga. Schemas classify contexts in a similar way as LF types classify LF objects. 
Although schemas are similar to Twelf’s world declarations, schema checking does not involve verifying 
that a given LF type family only introduces the assumptions specified in the schema; instead schemas will 
be used by the computation language to guarantee that we are manipulating contexts of a certain shape. 
Below, we define the schema actx, which enforces that term variables come paired with an algorithmic 
equality assumption algeqP x x t for some type t. 
schema actx = some [t:tp] block x:tm, ax: algeqP x x t; 


3.3 Encoding logical equivalence 

To define logical equivalence, we need the notion of path substitution mentioned in Sec. 2. For this purpose, we use Beluga's built-in notion of simultaneous substitutions. We write [δ ⊢ γ] for the built-in type of simultaneous substitutions which provide for each variable in the context γ a corresponding term in the context δ. When γ is of schema actx, such a substitution consists of blocks of the form M/x, p/ax where M is a term and p is a derivation of algeqP M M T, just as we need.

To achieve nice notation, we define an LF type of pairs of terms, where the infix operator ~ simply constructs a pair of terms:

LF tmpair : type =
| ~ : tm → tm → tmpair  % infix
;

Logical equivalence, written Log [γ ⊢ M ~ N] [A], expresses that M and N are logically related in context γ at type A. We embed contextual objects into computations and recursive types wrapping them inside [ ]. Since M and N are used in the context γ, by default, they can depend on γ. Formally, each of these meta-variables is associated with an identity substitution which can be omitted.

We define Log [γ ⊢ M ~ N] [A] in Beluga as a stratified type, which is a form of recursive type which is defined by structural recursion on one of its indices, as an alternative to an inductive (strictly positive) definition. Beluga verifies that this stratification condition is satisfied. In this case, the definition is structurally recursive on the type A.

stratified Log : (γ:actx) [γ ⊢ tmpair] → [tp] → ctype =
| LogBase : [γ ⊢ algeqTm M N i] → Log [γ ⊢ M ~ N] [i]
| LogArr  : ({δ:actx}{π:[δ ⊢ γ]}{N1:[δ ⊢ tm]}{N2:[δ ⊢ tm]}
               Log [δ ⊢ N1 ~ N2] [T] → Log [δ ⊢ app M1[π] N1 ~ app M2[π] N2] [S])
            → Log [γ ⊢ M1 ~ M2] [T => S]
;

At base type, two terms are logically equivalent if they are algorithmically equivalent. At arrow type we employ the monotonicity condition mentioned in Sec. 2: M1 is related to M2 in Γ if, for any context Δ, path substitution Δ ⊢ π : Γ, and N1, N2 related in Δ, we have that app M1[π] N1 is related to app M2[π] N2 in Δ. We quantify over (γ:actx) in round parentheses, which indicates that it is implicit and recovered during reconstruction. Variables quantified in curly braces such as {δ:actx} are passed explicitly. As in LF specifications, all free variables occurring in constructor definitions are reconstructed and bound implicitly at the outside. They are passed implicitly and recovered during reconstruction.

Crucially, logical equality is monotonic under path substitutions:

rec log_monotone : {δ:actx}{π:[δ ⊢ γ]} Log [γ ⊢ M1 ~ M2] [A] → Log [δ ⊢ M1[π] ~ M2[π]] [A]

We show below the mechanized proof of this lemma only to illustrate the general structure of Beluga proofs. The proof is simply by case analysis on the logical equivalence. In the base case, we obtain a proof P of γ ⊢ algeqTm M N i, which we can weaken for free by simply applying π to P. Here we benefit significantly from Beluga's built-in support for simultaneous substitutions; we gain not just weakening by a single variable for free as we would in Twelf, but arbitrary simultaneous weakening. The proof proceeds in the arrow case by simply composing the two substitutions. We use λ as the introduction form for universal quantifications over metavariables (contextual objects), for which we use uppercase and Greek letters, and fn with lowercase letters for computation-level function types (implications).

rec log_monotone : {δ:actx}{π:[δ ⊢ γ]} Log [γ ⊢ M1 ~ M2] [A] → Log [δ ⊢ M1[π] ~ M2[π]] [A] =
λ δ, π ⇒ fn e ⇒ case e of
| LogBase [γ ⊢ P] ⇒ LogBase [δ ⊢ P[π]]
| LogArr f        ⇒ LogArr (λ δ', π' ⇒ f [δ'] [δ' ⊢ π[π']])
;

The main lemma is mutually recursive, expressing that path equivalence is included in logical equivalence, and logical equivalence is included in algorithmic term equivalence. This enables "escaping" from the logical relation to obtain an algorithmic equality in the end. They are structurally recursive on the type. Crucially, in the arrow case, reify instantiates the path substitution π with a weakening substitution in order to create a fresh variable.

rec reflect : {A:[tp]} [γ ⊢ algeqP M1 M2 A] → Log [γ ⊢ M1 ~ M2] [A]
and reify   : {A:[tp]} Log [γ ⊢ M1 ~ M2] [A] → [γ ⊢ algeqTm M1 M2 A]

We can state weak head closure directly as follows. The proof is structurally recursive on the type, which is implicit.

rec closed : [γ ⊢ mstep N1 M1] → [γ ⊢ mstep N2 M2] → Log [γ ⊢ M1 ~ M2] [T]
           → Log [γ ⊢ N1 ~ N2] [T]

3.4 Encoding declarative equivalence 

We now define declarative equality of terms, which includes non-algorithmic rules such as transitivity 
and symmetry. Declarative equality makes use of a schema which lists only term variables, which we 
write ctx. 
schema ctx = tm; 

For technical reasons which we will go into more detail on later, we resort to a different treatment of typing contexts. We explicitly represent typing contexts dctx as a list of types, and declarative equality as a computation-level inductive datatype, instead of an LF specification.

LF dctx : type =
| nil : dctx
| &   : dctx → tp → dctx  % infix
;

We describe next the result of looking up the type of a variable x in γ in typing context Γ by its position. If x is the top variable of γ, then its type in Γ is the type of the top variable of Γ. Otherwise, if looking up the type of x in γ yields T, then looking it up in an extended context also yields T. Here we write [γ ⊢ tm] for the contextual type of terms of type tm in context γ, and [tp] for (closed) types. We use #p for a meta-variable standing for an object-level variable from γ (as opposed to a general term).

inductive Lookup : {Γ:[dctx]} (γ:ctx) [γ ⊢ tm] → [tp] → ctype =
| Top : Lookup [Γ & T] [γ,x:tm ⊢ x] [T]
| Pop : Lookup [Γ] [γ ⊢ #p] [T] → Lookup [Γ & S] [γ,x:tm ⊢ #p] [T]
;

We write Decl [Γ] [γ ⊢ M ~ N] [T] for declarative equivalence of M and N at type T. We employ the convention that Γ and Δ stand for typing contexts (of type [dctx]), while γ and δ stand for corresponding term contexts.

inductive Decl : {Γ:[dctx]} (γ:ctx) [γ ⊢ tmpair] → [tp] → ctype =
| DecBeta  : Decl [Γ & T] [γ,x:tm ⊢ M2 ~ N2] [S] → Decl [Γ] [γ ⊢ M1 ~ N1] [T]
           → Decl [Γ] [γ ⊢ app (lam (\x. M2)) M1 ~ N2[.., N1]] [S]
| DecLam   : Decl [Γ & T] [γ,x:tm ⊢ M ~ N] [S]
           → Decl [Γ] [γ ⊢ lam (\x. M) ~ lam (\x. N)] [T => S]
| DecExt   : Decl [Γ & T] [γ,x:tm ⊢ app M x ~ app N x] [S]
           → Decl [Γ] [γ ⊢ M ~ N] [T => S]
| DecVar   : Lookup [Γ] [γ ⊢ #p] [T] → Decl [Γ] [γ ⊢ #p ~ #p] [T]
| DecApp   : Decl [Γ] [γ ⊢ M1 ~ M2] [T => S] → Decl [Γ] [γ ⊢ N1 ~ N2] [T]
           → Decl [Γ] [γ ⊢ app M1 N1 ~ app M2 N2] [S]
| DecSym   : Decl [Γ] [γ ⊢ M ~ N] [T] → Decl [Γ] [γ ⊢ N ~ M] [T]
| DecTrans : Decl [Γ] [γ ⊢ M ~ N] [T] → Decl [Γ] [γ ⊢ N ~ O] [T]
           → Decl [Γ] [γ ⊢ M ~ O] [T]
;

Declarative equality includes a β rule, as well as an extensionality rule, which states that for two terms M and N to be equal at type T ⇒ S, it suffices for them to be equal when applied to a fresh variable of type T. We again remind the reader that all meta-variables are silently associated with the identity substitution; in particular in [γ ⊢ lam (\x.M) ~ lam (\x.N)], the meta-variables M and N are associated with the identity substitution on the context γ, x:tm. Note that every meta-variable is associated with a simultaneous substitution in Beluga. If this substitution is the identity, then it can be omitted. Hence, [γ ⊢ lam (\x.M) ~ lam (\x.N)] is equivalent to writing [γ ⊢ lam (\x.M[.., x]) ~ lam (\x.N[.., x])]. Written in η-contracted form this is equivalent to [γ ⊢ lam M ~ lam N] or, making the identity substitution explicit, [γ ⊢ lam M[..] ~ lam N[..]].

Note that meta-variables associated with simultaneous substitutions do not exist in other systems. For example, in LF and its implementation in Twelf [17] the context of assumptions is ambient and we cannot express dependencies of LF-variables on them. In Twelf, writing lam M is equivalent to its η-expanded form lam \x. M x.

3.5 Fundamental theorem 

The fundamental theorem requires us to speak of all instantiations of open terms by related substitutions. We express here the notion of related substitutions using inductive types. Trivially, empty substitutions, written as ·, are related at empty domain. If σ1 and σ2 are related at Γ and M1 and M2 are related at T, then σ1, M1 and σ2, M2 are related at Γ & T. The technical reason we use the schema ctx of term assumptions only is that we would like the substitutions σ1 and σ2 to carry only terms M, but not derivations algeqP M M T (or declarative equality assumptions). If we had used the schema actx or a schema with declarative equality assumptions, the proof of the fundamental theorem would be obligated to construct these derivations, which would be more cumbersome.

inductive LogSub : (γ:ctx) (δ:actx) {σ1:[δ ⊢ γ]}{σ2:[δ ⊢ γ]}{Γ:[dctx]} ctype =
| Nil : LogSub [δ ⊢ ·] [δ ⊢ ·] [nil]
| Dot : LogSub [δ ⊢ σ1] [δ ⊢ σ2] [Γ] → Log [δ ⊢ M1 ~ M2] [T]
      → LogSub [δ ⊢ σ1, M1] [δ ⊢ σ2, M2] [Γ & T]
;

We have a monotonicity lemma for logically equivalent substitutions which is similar to the monotonicity lemma for logically equivalent terms:

rec wknLogSub : {π:[δ' ⊢ δ]} LogSub [δ ⊢ σ1] [δ ⊢ σ2] [Γ]
              → LogSub [δ' ⊢ σ1[π]] [δ' ⊢ σ2[π]] [Γ]

The fundamental theorem requires a proof that M1 and M2 are declaratively equal, together with logically related substitutions σ1 and σ2, and produces a proof that M1[σ1] and M2[σ2] are logically related. In the transitivity and symmetry cases, we appeal to transitivity and symmetry of logical equivalence, the proofs of which can be found in the accompanying Beluga code.

rec thm : Decl [Γ] [γ ⊢ M1 ~ M2] [T]
        → LogSub [δ ⊢ σ1] [δ ⊢ σ2] [Γ]
        → Log [δ ⊢ M1[σ1] ~ M2[σ2]] [T] =

We show the lam case of the proof term only to make a high-level comparison to the hand-written proof in Sec. 2. Below, one can see that we appeal to monotonicity (wknLogSub), weak head closure (closed), and the induction hypothesis on the subderivation d1. However, remarkably, there is no explicit equational reasoning about substitutions, since applications of substitutions are automatically simplified. We refer the reader to [?] for the technical details of this simplification.

fn d, s ⇒ case d of
| DecLam d1 ⇒
  LogArr (λ δ', π, N1, N2 ⇒ fn rn ⇒
    let ih = thm d1 (Dot (wknLogSub [δ'] [δ] [δ' ⊢ π] s) rn) in
    closed [δ' ⊢ trans1 beta refl] [δ' ⊢ trans1 beta refl] ih
  )

Completeness is a corollary of the fundamental theorem. Our statement of the completeness theorem is slightly complicated by the fact that declarative equality and algorithmic equality live in different context schemas. To overcome this, we describe a predicate EmbedSub [Γ] [γ] [γ' ⊢ ι] which states that ι is a simple weakening substitution which performs the work of moving from term context γ:ctx to the corresponding (larger) algorithmic equality context γ':actx with added algorithmic equality assumptions at the types listed in Γ:[dctx]. Morally, this ι substitution plays the role of the identity substitution mentioned in Sec. 2.

inductive EmbedSub : {Γ:[dctx]}{γ:ctx}(γ':actx){ι:[γ' ⊢ γ]} ctype =
| INil  : EmbedSub [nil] [] [·]
| ISnoc : EmbedSub [Γ] [γ] [γ' ⊢ ι]
        → EmbedSub [Γ & T] [γ,x:tm] [γ',b:block x:tm, ax:algeqP x x T ⊢ ι, b.1]
;

It is then straightforward to show that embedding substitutions ι are logically related to themselves using the main lemma.

rec embed_log : EmbedSub [Γ] [γ] [γ' ⊢ ι] → LogSub [γ' ⊢ ι] [γ' ⊢ ι] [Γ]

The completeness theorem is stated below, and follows trivially by composing the fundamental theorem with embed_log and the main lemma to escape the logical relation.

rec completeness : EmbedSub [Γ] [γ] [γ' ⊢ ι] → Decl [Γ] [γ ⊢ M1 ~ M2] [T]
                 → [γ' ⊢ algeqTm M1[ι] M2[ι] T]

It is unfortunate that this transportation from γ to γ' is required by the current framework of contextual types, since intuitively the algorithmic equality assumptions in γ' are completely irrelevant for the terms M1 and M2. It's an open problem how to improve on this.
3.6 Remarks

The proof passes Beluga's typechecking and totality checking. As part of the totality checker, Beluga performs a strict positivity check for inductive types [19, 20], and a stratification check for logical relation-style definitions.

Beluga's built-in support for simultaneous substitutions is a big win for this proof. The proof of the
monotonicity lemma is very simple, since the (simultaneous) weakening of algorithmic equality comes
for free, and there is no need for explicit reasoning about substitution equations in the fundamental
theorem or elsewhere. We also found the technique of quantifying over path substitutions, as opposed
to quantifying over all extensions of a context, to work surprisingly well. However, it seems to be
non-obvious when this technique will work. In an earlier version of this proof, we had resorted to
explicitly enforcing that the substitution π contained only variables, limiting its capabilities to weakening,
exchange, and contraction. This was done with an inductive datatype like the following, where the
contextual type #[δ ⊢ tm] contains only variables of type tm:


datatype IsRenaming : {γ:ctx}(δ:ctx){π:[δ ⊢ γ]} ctype =
| Nil  : IsRenaming [] [δ ⊢ ·]
| Cons : {#p:#[δ ⊢ tm]} IsRenaming [γ] [δ ⊢ π] → IsRenaming [γ,x:tm] [δ ⊢ π, #p]


We were surprised to learn that in fact this restriction was unnecessary, and we could instead simply 
directly quantify over path substitutions, as the schema actx we rely on in our proof already effectively 
restricts the substitutions we can build. However, we suspect that the technique of explicitly restricting 
to renaming substitutions may still be necessary in some cases, and that it might be convenient to have a 
built-in type of these renaming-only substitutions. 

We remark that the completeness theorem can in fact be executed, viewing it as an algorithm for
normalizing derivations in the declarative system to derivations in the algorithmic system. The extension to
a proof of decidability would be a correct-by-construction functional algorithm for the decision problem.
This is a unique feature of carrying out the proof in a type-theoretic setting like Beluga, where the proof
language also serves as a computation language.

Some aspects of this proof could still be improved. In particular, our treatment of the different context
schemas and the relationship between them seems unsatisfactory. We had to do a bit of work in order to
move terms from γ:ctx to γ':actx, and this polluted the final statement of the completeness theorem. It
can also be difficult to know when to resort to using an explicit context and a computation-level datatype,
like we did for declarative equality. This suggests there is room for improvement in Beluga's treatment
of contexts, and we are exploring possible approaches.

Furthermore, one might argue that having to explicitly apply the path substitutions π to terms like
M[π] is somewhat unsatisfactory, so one might wish for the ability to directly perform the bounded
quantification ∀Δ ≥ Γ and a notion of subtyping which permits for example [Γ ⊢ tm] ≤ [Δ ⊢ tm]. This
is also a possibility we are exploring.

Overall, we found that the tools provided by Beluga, especially its support for simultaneous
substitutions, worked remarkably well to express this proof and to obviate the need for bureaucratic
lemmas about substitutions and contexts, and we are optimistic that these techniques can scale to many
other varieties of logical relations proofs.


4 Related Work 

Mechanizing proofs by logical relations is an excellent benchmark to evaluate the power and elegance of
a given proof development. Because it requires nested quantification and recursive definitions, encoding
logical relations has been particularly challenging for systems supporting HOAS encodings.

There are two main approaches to support reasoning about HOAS encodings: 1) In the proof-theoretic
approaches, we adopt a two-level system where we implement a specification logic (similar to LF)
inside a higher-order logic supporting (co)inductive definitions, the approach taken in Abella (?),
or type theory, the approach taken in Hybrid (8). To distinguish in the proof theory between
quantification over variables and quantification over terms, (?) introduce a new quantifier, ∇, to describe
nominal abstraction logically. To encode logical relations one uses recursive definitions which are part
of the reasoning logic (11). Induction in these systems is typically supported by reasoning about the
height of a proof tree; this reduces reasoning to induction over natural numbers, although much of this
complexity can be hidden in Abella. Compared to our development in Beluga, Abella lacks support
for modelling a context of assumptions and simultaneous substitutions. As a consequence, some of the
tedious basic infrastructure to reason about open and closed terms and substitutions still needs to be built
and maintained. Moreover, Abella's inductive proofs cannot be executed and do not yield a program for
normalizing derivations. It is also not clear what the most effective way is to perform the quantification
over all extensions of a context in Abella.


2) The type-theoretic approaches fall into two categories: we either remain within the logical framework
and encode proofs as relations as advocated in Twelf (?), or we build a dependently typed functional
language on top of LF to support reasoning about LF specifications as done in Beluga. The former
approach lacks logical strength; the function space in LF is "weak" and only represents binding structures
instead of computations. To circumvent these limitations, (25) proposes to implement a reasoning logic
within LF and then use it to encode logical relation arguments. This approach scales to richer calculi
(24) and avoids reasoning about contexts, open terms and simultaneous substitutions explicitly. However,
one might argue that it not only requires additional work to build up a reasoning logic within LF and
prove its consistency, but is also conceptually different from what one is used to from on-paper proofs. It
is also less clear whether the approach scales easily to proving completeness of algorithmic equality, due
to the need to talk about context extensions in the definition of logical equivalence of terms of function
type.

Outside the world of HOAS, (16) have carried out essentially the same proof in Nominal Isabelle,
and later (27) tackle the extension from the simply-typed lambda calculus to LF. Relative to their
approach, Beluga gains substitution for free, but more importantly, equations on substitutions are silently
discharged by Beluga's built-in support for their equational theory, so they do not even appear in proofs.
In contrast, proving these equations manually requires roughly a dozen intricate lemmas.


5 Conclusion 


Our implementation of completeness of algorithmic equality takes advantage of key infrastructure
provided by Beluga: it utilizes first-class simultaneous substitutions, contexts, contextual objects and the
power of recursive types. This yields a direct and compact implementation of all the necessary proofs,
which directly correspond to their on-paper developments. Moreover, our proof yields an executable
program. While more work on Beluga's frontend will improve and simplify such developments,
we have demonstrated that the core language is suitable not only for standard structural induction proofs
such as type safety, but also for proofs by logical relations.